Ways you haven’t stopped my XSS, Number 2–backslash doesn’t encode quotes in HTML attributes

Last time in this series, I posted an example where XSS was possible because a site's developer was unaware of the implications of his JavaScript being hosted inside HTML. This post is sort of the opposite of that: it notes that time-worn JavaScript (and C, Java, C++, C#, etc.) methods don't always apply to HTML.

The XSS mantra for HTML attributes

I teach that XSS is prevented absolutely by appropriate contextual encoding of user data on its way out of your application and into the page. The context dictates what encoding you need, whether the context is "JavaScript string", "JavaScript code", …